In this blog post, we will discuss how we developed a human-readable machine learning system that is able to determine whether a downloaded file is benign or malicious in nature.

The development of this actionable intelligent system stemmed from the question: How can we make our knowledge about global software download events actionable? More specifically, how can we use such information to do a better job at detecting the threats posed by the large amounts of new malicious software circulating on a daily basis?

In this last installment of this blog series, we will answer such questions and give a summary of what we did with the information we’ve obtained. Our research paper titled Exploring the Long Tail of (Malicious) Software Downloads provides a more comprehensive look into how we’ve gathered and analyzed our software downloads data.

As a large cybersecurity vendor, Trend Micro processes millions of threat data points per day. Our Smart Protection Network (SPN), among other technologies, helps us conduct research and investigate new threats and cybercrimes to improve our ability to protect our customers.

In this blog post, the first of a three-part series, I would like to share some insights on trends that we have observed in the wild after analyzing 3 million software downloads, involving hundreds of thousands of internet-connected machines.

Specifically, we focus on web downloads originating from browsers or any other (HTTP) client application installed on a machine. Note that we limited the study to machines that execute software after downloading it. Given the huge quantity of data, we also limited our research to unpopular software downloaded from URLs that were not whitelisted. This automatically excludes software from Windows Update and other well-known domains. All of this data is anonymized to remove personally identifiable information (PII).

We classify these downloads as benign (legitimate software), malicious, or unknown. Unknown means that the downloaded software is currently unknown to us and to the other public data sources that we monitor.
